Use openssl to generate a certificate for several domain names by putting DNS entries in the SAN (subjectAltName, subject alternative name) extension.
1. Generate a private key
openssl genrsa -out sni_test1.key 2048
2. Write a configuration file
By default openssl uses /etc/ssl/openssl.cnf.
To set the subject alternative name, you need to write your own configuration file (test1.cnf in the commands below):
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = country
stateOrProvinceName = province
localityName = city
organizationName = company name
commonName = domain name or ip

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1=test1.www.local
DNS.2=test1.tls.local
3. Use the key and the configuration file to generate a certificate request
openssl req -new -key sni_test1.key -out sni_test1.csr -config test1.cnf -subj '/C=CN/ST=BeiJing/L=BeiJing/O=tong.com/OU=tong/CN=caotong_test1/emailAddress=tong@local'
View the request
openssl req -in sni_test1.csr -text -noout
...
Attributes:
Requested Extensions:
    X509v3 Subject Alternative Name:
        DNS:test1.www.local, DNS:test1.tls.local
...
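4. Use the request and the root certificate to issue a new certificate
openssl x509 -req -days 3650 -sha256 -CA ../root/root.cer -CAkey ../root/root.key -in sni_test1.csr -out sni_test1.cer \
-CAcreateserial -extensions v3_req -extfile ./test1.cnf
The signature uses -sha256 because current browsers reject certificates signed with SHA-1.
So when issuing, test1.cnf must be provided in addition to the CSR: by default openssl x509 -req does not copy the extensions requested in the CSR, so the SAN has to be supplied again through -extensions and -extfile.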
View the certificate
openssl x509 -in sni_test1.cer -text -noout
...
X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:test1.www.local, DNS:test1.tls.local
...
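The point of step 4, as an added example that is not part of the original page: the script repeats the procedure with a throwaway root CA in a temporary directory and signs the same CSR twice, once without and once with -extfile, printing the DNS names that end up in the certificate. The file names (leaf.*, root.*), the root subject and the 1-day validity are assumptions chosen for the test.

```shell
#!/bin/sh
# Added example: throwaway CA and leaf in a temp dir; every name here is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# setup: config file, test root CA, leaf key and CSR (steps 1-3 with test names).
setup() {
    cat > leaf.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
commonName = domain name or ip
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = test1.www.local
DNS.2 = test1.tls.local
EOF
    # Self-signed test root, then the leaf key and its CSR carrying the SAN request.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.cer \
        -days 1 -config leaf.cnf -subj '/CN=example-test-root' 2>/dev/null
    openssl genrsa -out leaf.key 2048 2>/dev/null
    openssl req -new -key leaf.key -out leaf.csr -config leaf.cnf \
        -subj '/CN=caotong_test1'
}

# issue_san MODE: sign leaf.csr and print the DNS names in the issued certificate.
#   extfile  : pass the config again with -extensions/-extfile, as in step 4
#   csr-only : sign the CSR alone; its requested extensions are not copied
issue_san() {
    if [ "$1" = extfile ]; then
        set -- -extensions v3_req -extfile leaf.cnf
    else
        set --
    fi
    openssl x509 -req -days 1 -sha256 -CA root.cer -CAkey root.key \
        -CAcreateserial -in leaf.csr -out leaf.cer "$@" 2>/dev/null
    openssl x509 -in leaf.cer -noout -text | grep -o 'DNS:[^,]*' | paste -sd' ' -
}

setup
echo "csr-only: [$(issue_san csr-only)]"
echo "extfile:  [$(issue_san extfile)]"
```

An empty csr-only result means the issued certificate has no SAN even though the CSR requested one, which is why a CA should always inspect the issued certificate and not only the request.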